NotJustExam Interactive Question Bank | [Amazon] DVA-C02

Question 1

A company is implementing an application on Amazon EC2 instances. The application needs to process incoming transactions. When the application detects a transaction that is not valid, the application must send a chat message to the company's support team. To send the message, the application needs to retrieve the access token to authenticate by using the chat API.
A developer needs to implement a solution to store the access token. The access token must be encrypted at rest and in transit. The access token must also be accessible from other AWS accounts.
Which solution will meet these requirements with the LEAST management overhead?

A. Use an AWS Systems Manager Parameter Store SecureString parameter that uses an AWS Key Management Service (AWS KMS) AWS managed key to store the access token. Add a resource-based policy to the parameter to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Parameter Store. Retrieve the token from Parameter Store with the decrypt flag enabled. Use the decrypted access token to send the message to the chat.
B. Encrypt the access token by using an AWS Key Management Service (AWS KMS) customer managed key. Store the access token in an Amazon DynamoDB table. Update the IAM role of the EC2 instances with permissions to access DynamoDB and AWS KMS. Retrieve the token from DynamoDDecrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the message to the chat.
C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.
D. Encrypt the access token by using an AWS Key Management Service (AWS KMS) AWS managed key. Store the access token in an Amazon S3 bucket. Add a bucket policy to the S3 bucket to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Amazon S3 and AWS KMS. Retrieve the token from the S3 bucket. Decrypt the token by using AWS KMS on the EC2 instances. Use the decrypted access token to send the massage to the chat.

Correct Answer: C

Explanation:

The best solution to meet the requirements with the least management overhead is C. Use AWS Secrets Manager with an AWS Key Management Service (AWS KMS) customer managed key to store the access token. Add a resource-based policy to the secret to allow access from other accounts. Update the IAM role of the EC2 instances with permissions to access Secrets Manager. Retrieve the token from Secrets Manager. Use the decrypted access token to send the message to the chat.

Reasoning:

Secrets Manager is designed specifically for managing secrets, providing features like automatic rotation, encryption at rest and in transit, and fine-grained access control.
Using a customer-managed KMS key allows for cross-account access through resource-based policies.
Retrieving secrets from Secrets Manager is straightforward and handles decryption automatically.
This approach minimizes the operational overhead compared to other solutions.

Reasons for not choosing the other options:

A: While Parameter Store SecureString can store encrypted data and use KMS, it's not specifically designed for secrets management like Secrets Manager. It requires more manual configuration for cross-account access and doesn't offer built-in rotation capabilities.
B: Storing the access token in DynamoDB and manually encrypting it adds complexity. It requires managing encryption and decryption logic within the application, increasing overhead. DynamoDB is not designed for storing secrets.
D: Storing the access token in S3 and manually encrypting it adds complexity. It requires managing encryption and decryption logic within the application, increasing overhead. S3 is not designed for storing secrets, and managing encryption/decryption and access control would be more complex than using Secrets Manager.

AWS Secrets Manager, https://aws.amazon.com/secrets-manager/
AWS Key Management Service (KMS), https://aws.amazon.com/kms/

Question 2

A company is running Amazon EC2 instances in multiple AWS accounts. A developer needs to implement an application that collects all the lifecycle events of the EC2 instances. The application needs to store the lifecycle events in a single Amazon Simple Queue Service (Amazon SQS) queue in the company's main AWS account for further processing.
Which solution will meet these requirements?

A. Configure Amazon EC2 to deliver the EC2 instance lifecycle events from all accounts to the Amazon EventBridge event bus of the main account. Add an EventBridge rule to the event bus of the main account that matches all EC2 instance lifecycle events. Add the SQS queue as a target of the rule.
B. Use the resource policies of the SQS queue in the main account to give each account permissions to write to that SQS queue. Add to the Amazon EventBridge event bus of each account an EventBridge rule that matches all EC2 instance lifecycle events. Add the SQS queue in the main account as a target of the rule.
C. Write an AWS Lambda function that scans through all EC2 instances in the company accounts to detect EC2 instance lifecycle changes. Configure the Lambda function to write a notification message to the SQS queue in the main account if the function detects an EC2 instance lifecycle change. Add an Amazon EventBridge scheduled rule that invokes the Lambda function every minute.
D. Configure the permissions on the main account event bus to receive events from all accounts. Create an Amazon EventBridge rule in each account to send all the EC2 instance lifecycle events to the main account event bus. Add an EventBridge rule to the main account event bus that matches all EC2 instance lifecycle events. Set the SQS queue as a target for the rule.

Correct Answer: D

Explanation:

The recommended answer is D.
Reasoning: The most efficient and scalable solution involves leveraging Amazon EventBridge's ability to send and receive events between AWS accounts. Each account can send EC2 lifecycle events to a central EventBridge event bus in the main account, which then routes these events to the SQS queue. This approach centralizes event processing and minimizes the need for custom code or polling mechanisms.

Configure the permissions on the main account event bus to receive events from all accounts.
Create an Amazon EventBridge rule in each account to send all the EC2 instance lifecycle events to the main account event bus.
Add an EventBridge rule to the main account event bus that matches all EC2 instance lifecycle events.
Set the SQS queue as a target for the rule.

Why other options are not optimal:

A: While this option uses EventBridge, it's less clear on how the EC2 instances in different accounts are configured to send events to the main account's EventBridge in the first place. Option D clearly states each account will send EC2 events to the main account event bus.
B: While technically feasible, granting each account direct write access to the SQS queue is less secure and harder to manage than using EventBridge for cross-account event delivery. EventBridge offers better control and auditability.
C: This option is highly inefficient and not scalable. Polling EC2 instances using a Lambda function is resource-intensive and can lead to delayed event detection. EventBridge provides a real-time, event-driven approach that is much more suitable.

Title: Publishing and subscribing to events across AWS accounts, https://aws.amazon.com/blogs/compute/publishing-and-subscribing-to-events-across-aws-accounts/

Question 3

An application is using Amazon Cognito user pools and identity pools for secure access. A developer wants to integrate the user-specific file upload and download features in the application with Amazon S3. The developer must ensure that the files are saved and retrieved in a secure manner and that users can access only their own files. The file sizes range from 3 KB to 300 MB.
Which option will meet these requirements with the HIGHEST level of security?

A. Use S3 Event Notifications to validate the file upload and download requests and update the user interface (UI).
B. Save the details of the uploaded files in a separate Amazon DynamoDB table. Filter the list of files in the user interface (UI) by comparing the current user ID with the user ID associated with the file in the table.
C. Use Amazon API Gateway and an AWS Lambda function to upload and download files. Validate each request in the Lambda function before performing the requested operation.
D. Use an IAM policy within the Amazon Cognito identity prefix to restrict users to use their own folders in Amazon S3.

Correct Answer: D

Explanation:

The best option for meeting the requirements of secure, user-specific file access in Amazon S3, with the highest level of security, is D: Use an IAM policy within the Amazon Cognito identity prefix to restrict users to use their own folders in Amazon S3.

Reasoning:
This approach leverages the integration between Amazon Cognito and IAM to enforce strict access control at the S3 bucket level. By using the Cognito identity ID as a prefix in the S3 object key (folder name), and then creating an IAM policy that allows users to only access objects with their identity ID as the prefix, you ensure that each user can only access their own files. This method offers the highest level of security because access control is managed directly by AWS IAM and is applied to every request made to S3.

Here's a breakdown of why this is the best approach:

Security: IAM policies are the most secure way to control access to AWS resources. When combined with Cognito identity prefixes, they provide a robust and scalable solution for managing user-specific access to S3 objects.
Direct S3 Access: Users can directly access S3, which can be more efficient and cost-effective than routing all requests through an intermediary service like API Gateway and Lambda.
Scalability: IAM policies are designed to scale to handle a large number of users and resources.

Reasons for not choosing other options:

A: Use S3 Event Notifications to validate the file upload and download requests and update the user interface (UI). This option is primarily for triggering actions based on S3 events (like file uploads). While you could potentially use it to update the UI, it doesn't inherently provide security or prevent users from accessing other users' files directly. It's more of a reactive approach and doesn't proactively enforce access control.
B: Save the details of the uploaded files in a separate Amazon DynamoDB table. Filter the list of files in the user interface (UI) by comparing the current user ID with the user ID associated with the file in the table. This option relies on the application logic to filter the files displayed to the user. While it can prevent users from seeing files they shouldn't, it doesn't prevent them from directly accessing those files in S3 if they know the object key. The filtering is only implemented in the UI, and direct access to S3 is not restricted.
C: Use Amazon API Gateway and an AWS Lambda function to upload and download files. Validate each request in the Lambda function before performing the requested operation. While this option can provide a level of security by validating requests in the Lambda function, it adds complexity and latency to the file upload/download process. It also requires you to manage the authorization logic within the Lambda function, which can be error-prone. Using IAM policies with Cognito identity prefixes is a more secure and scalable way to achieve the same result.

IAM Policies, https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
Amazon Cognito, https://aws.amazon.com/cognito/

Question 4

A company is building a scalable data management solution by using AWS services to improve the speed and agility of development. The solution will ingest large volumes of data from various sources and will process this data through multiple business rules and transformations.
The solution requires business rules to run in sequence and to handle reprocessing of data if errors occur when the business rules run. The company needs the solution to be scalable and to require the least possible maintenance.
Which AWS service should the company use to manage and automate the orchestration of the data flows to meet these requirements?

A. AWS Batch
B. AWS Step Functions
C. AWS Glue
D. AWS Lambda

Correct Answer: B

Explanation:

The recommended answer is B. AWS Step Functions.

Reasoning:

Step Functions is the best choice because it is a fully managed service specifically designed for orchestrating serverless workflows. It allows you to define and execute workflows as state machines, which can coordinate multiple AWS services, including Lambda functions, AWS Batch jobs, and AWS Glue jobs. This aligns perfectly with the requirement to manage and automate the orchestration of data flows, run business rules in sequence, and handle reprocessing of data if errors occur.
Step Functions provides built-in error handling mechanisms, such as retry and catch, which simplify the implementation of error handling and reprocessing logic.
It scales automatically and requires minimal maintenance, satisfying the scalability and low-maintenance requirements.

Reasons for not choosing other options:

A. AWS Batch: While AWS Batch is suitable for running batch computing workloads, it is not designed for orchestrating complex workflows or managing sequences of tasks with built-in error handling. It primarily focuses on efficiently running compute-intensive jobs.
C. AWS Glue: AWS Glue is a fully managed ETL (extract, transform, and load) service. While it can perform data transformations, it is not designed for orchestrating complex workflows with sequential execution and error handling. AWS Glue primarily focuses on data cataloging, data preparation, and ETL job execution.
D. AWS Lambda: AWS Lambda is a serverless compute service that allows you to run code without provisioning or managing servers. While Lambda functions can be used as individual components within a data processing pipeline, they do not provide a native mechanism for orchestrating complex workflows or managing sequences of tasks with built-in error handling. Using Lambda alone would require significantly more custom code and management overhead for orchestration.

Therefore, considering the need for a scalable, low-maintenance solution to manage and automate the orchestration of data flows, run business rules in sequence, and handle reprocessing of data if errors occur, AWS Step Functions is the most appropriate choice.

Citations:

AWS Step Functions, https://aws.amazon.com/step-functions/
AWS Batch, https://aws.amazon.com/batch/
AWS Glue, https://aws.amazon.com/glue/
AWS Lambda, https://aws.amazon.com/lambda/

Question 5

A developer has created an AWS Lambda function that is written in Python. The Lambda function reads data from objects in Amazon S3 and writes data to an Amazon DynamoDB table. The function is successfully invoked from an S3 event notification when an object is created. However, the function fails when it attempts to write to the DynamoDB table.
What is the MOST likely cause of this issue?

A. The Lambda function's concurrency limit has been exceeded.
B. DynamoDB table requires a global secondary index (GSI) to support writes.
C. The Lambda function does not have IAM permissions to write to DynamoDB.
D. The DynamoDB table is not running in the same Availability Zone as the Lambda function.

Correct Answer: C

Explanation:

The most likely cause of the issue is C. The Lambda function does not have IAM permissions to write to DynamoDB.

Reasoning:
The Lambda function is successfully triggered by the S3 event and can read data. The problem arises specifically when writing to the DynamoDB table. This strongly suggests a permission issue. Lambda functions require explicit IAM permissions to interact with other AWS services. If the Lambda function's IAM role doesn't include the necessary `dynamodb:PutItem` permission (and potentially `dynamodb:UpdateItem` or others depending on the write operation), it will fail to write to the DynamoDB table.

Reasons for eliminating other options:

A. The Lambda function's concurrency limit has been exceeded: While concurrency limits can cause Lambda functions to throttle, the error message would typically indicate throttling. Also, the question states that the function fails specifically when writing to DynamoDB, making a permission issue more likely.
B. DynamoDB table requires a global secondary index (GSI) to support writes: GSIs are primarily used for optimizing read queries, not writes. The absence of a GSI wouldn't directly prevent the Lambda function from writing data to the DynamoDB table, although it might affect performance.
D. The DynamoDB table is not running in the same Availability Zone as the Lambda function: DynamoDB is a globally distributed service, and Availability Zones are abstracted away from the user. The Lambda function and DynamoDB table do not need to be in the same Availability Zone to communicate. DynamoDB replicates data across multiple Availability Zones for durability and availability.

Supporting Citations:

AWS Lambda Permissions, https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
IAM and DynamoDB, https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/security-iam.html

Question 6

A developer is creating an AWS CloudFormation template to deploy Amazon EC2 instances across multiple AWS accounts. The developer must choose the EC2 instances from a list of approved instance types.
How can the developer incorporate the list of approved instance types in the CloudFormation template?

A. Create a separate CloudFormation template for each EC2 instance type in the list.
B. In the Resources section of the CloudFormation template, create resources for each EC2 instance type in the list.
C. In the CloudFormation template, create a separate parameter for each EC2 instance type in the list.
D. In the CloudFormation template, create a parameter with the list of EC2 instance types as AllowedValues.

Correct Answer: D

Explanation:

The best approach for incorporating a list of approved EC2 instance types into a CloudFormation template is to use the AllowedValues property within a parameter.

Suggested answer is D.

Reasoning for choosing D:

Using AllowedValues within a CloudFormation parameter allows you to restrict the values that a user can input for that parameter. In this case, the parameter would represent the EC2 instance type, and AllowedValues would contain the list of approved instance types. This ensures that only approved instance types are used when the CloudFormation stack is created. This approach is scalable, maintainable, and enforces the requirement to select only from the approved list.

Reasons for not choosing the other options:

Option A: Creating a separate CloudFormation template for each EC2 instance type is not scalable or maintainable. It would result in a large number of templates, making it difficult to manage and update the infrastructure.

Option B: Creating resources for each EC2 instance type in the Resources section is also not a good practice. It would mean that all instance types are potentially created, which contradicts the requirement to choose from an approved list. Moreover, it does not allow the user to select which instance type to use during stack creation.

Option C: Creating a separate parameter for each EC2 instance type is also not scalable. It would lead to a large number of parameters and would be difficult to manage. Furthermore, it doesn't provide a clear way to enforce the user to choose only one instance type from the approved list.

Citations:

AWS CloudFormation Parameters, https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html

Question 7

A developer has an application that makes batch requests directly to Amazon DynamoDB by using the BatchGetItem low-level API operation. The responses frequently return values in the UnprocessedKeys element.
Which actions should the developer take to increase the resiliency of the application when the batch response includes values in UnprocessedKeys? (Choose two.)

A. Retry the batch operation immediately.
B. Retry the batch operation with exponential backoff and randomized delay.
C. Update the application to use an AWS software development kit (AWS SDK) to make the requests.
D. Increase the provisioned read capacity of the DynamoDB tables that the operation accesses.
E. Increase the provisioned write capacity of the DynamoDB tables that the operation accesses.

Correct Answer: BD

Explanation:

The best approach to increase the resilience of the application when encountering `UnprocessedKeys` in DynamoDB `BatchGetItem` responses involves retrying with an appropriate strategy and potentially adjusting provisioned capacity. Here's a breakdown:

The suggested answer is BD.

Reason for choosing B: The presence of `UnprocessedKeys` often indicates that DynamoDB is unable to process all the requested items in a single batch operation, frequently due to throttling or temporary capacity limitations. Retrying the batch operation with exponential backoff and randomized delay is a recommended strategy to handle throttling situations. This approach allows the application to gradually reduce its request rate, giving DynamoDB time to recover and process subsequent requests. The randomized delay helps to avoid multiple clients retrying simultaneously, which could exacerbate the throttling issue.
Reason for choosing D: When `UnprocessedKeys` are frequently returned, it can indicate that the table's provisioned read capacity is insufficient to handle the request volume. Increasing the provisioned read capacity of the DynamoDB tables allows DynamoDB to handle more read requests concurrently, reducing the likelihood of throttling and `UnprocessedKeys` responses.

Reasons for not choosing other answers:

A: Retrying the batch operation immediately without any delay is likely to exacerbate the problem if the issue is due to throttling. DynamoDB will continue to reject the requests if it's already overloaded.
C: While using an AWS SDK is generally recommended for simplifying interactions with AWS services, it doesn't directly address the issue of `UnprocessedKeys`. The SDK provides retry mechanisms, but they typically involve exponential backoff, which is already covered by option B. Simply using an SDK without implementing a proper retry strategy won't resolve the problem.
E: `UnprocessedKeys` are associated with read operations using `BatchGetItem`. Increasing write capacity (option E) is not relevant to this specific problem. Write capacity is related to operations that modify data in the table, such as `PutItem`, `UpdateItem`, or `DeleteItem`.

In summary, the most likely cause of `UnprocessedKeys` is throttling due to insufficient read capacity or temporary limitations, and exponential backoff coupled with potentially increasing read capacity will resolve the issue.

Citations:

AWS DynamoDB BatchGetItem Documentation, https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_BatchGetItem.html
AWS DynamoDB Developer Guide - Error Retries and Exponential Backoff, https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Programming.Errors.html

Question 8

A company is running a custom application on a set of on-premises Linux servers that are accessed using Amazon API Gateway. AWS X-Ray tracing has been enabled on the API test stage.
How can a developer enable X-Ray tracing on the on-premises servers with the LEAST amount of configuration?

A. Install and run the X-Ray SDK on the on-premises servers to capture and relay the data to the X-Ray service.
B. Install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service.
C. Capture incoming requests on-premises and configure an AWS Lambda function to pull, process, and relay relevant data to X-Ray using the PutTraceSegments API call.
D. Capture incoming requests on-premises and configure an AWS Lambda function to pull, process, and relay relevant data to X-Ray using the PutTelemetryRecords API call.

Correct Answer: B

Explanation:

The best way to enable X-Ray tracing on on-premises servers with the least amount of configuration is to install and run the X-Ray daemon on the on-premises servers to capture and relay the data to the X-Ray service.

Reasoning: The X-Ray daemon is specifically designed to collect trace data from applications and forward it to the X-Ray service. This approach minimizes the configuration needed on the on-premises servers, as it handles the complexities of data transmission and authentication. It is also more straightforward than implementing custom solutions involving Lambda functions.

Why other options are not the best:

Option A: Installing and running the X-Ray SDK requires more configuration and development effort compared to using the daemon. The SDK needs to be integrated directly into the application code, which can be more complex and time-consuming.
Option C: Capturing requests and using a Lambda function to relay data is an overly complex solution. It introduces additional overhead and requires managing a Lambda function, which is not the most efficient approach.
Option D: Similar to option C, using a Lambda function with PutTelemetryRecords is unnecessarily complex. PutTelemetryRecords is generally used for metrics and other telemetry data, not specifically for X-Ray tracing segments.

Citations:

AWS X-Ray Concepts: https://docs.aws.amazon.com/xray/latest/devguide/aws-xray-concepts.html
AWS X-Ray Daemon: https://docs.aws.amazon.com/xray/latest/devguide/xray-daemon.html

Question 9

A company wants to share information with a third party. The third party has an HTTP API endpoint that the company can use to share the information. The company has the required API key to access the HTTP API.
The company needs a way to manage the API key by using code. The integration of the API key with the application code cannot affect application performance.
Which solution will meet these requirements MOST securely?

A. Store the API credentials in AWS Secrets Manager. Retrieve the API credentials at runtime by using the AWS SDK. Use the credentials to make the API call.
B. Store the API credentials in a local code variable. Push the code to a secure Git repository. Use the local code variable at runtime to make the API call.
C. Store the API credentials as an object in a private Amazon S3 bucket. Restrict access to the S3 object by using IAM policies. Retrieve the API credentials at runtime by using the AWS SDK. Use the credentials to make the API call.
D. Store the API credentials in an Amazon DynamoDB table. Restrict access to the table by using resource-based policies. Retrieve the API credentials at runtime by using the AWS SDK. Use the credentials to make the API call.

Correct Answer: A

Explanation:

The best solution to securely manage the API key, without affecting application performance, is to use AWS Secrets Manager. Therefore, the suggested answer is A.

Reasoning:

Option A is the most secure and efficient solution. AWS Secrets Manager is designed specifically for managing secrets like API keys. It offers encryption, access control, and rotation features. Retrieving the secret at runtime using the AWS SDK allows the application to access the key without embedding it in the code, addressing the security requirement. Furthermore, AWS Secrets Manager is optimized for low latency retrieval, minimizing the impact on application performance.

Reasons for not choosing the other options:

Option B is incorrect because storing API credentials in a local code variable and pushing the code to a Git repository is highly insecure. If the repository is compromised, the API key would be exposed. This directly violates the security requirements.
Option C is incorrect because while using a private Amazon S3 bucket with IAM policies can secure the API key, it adds unnecessary complexity compared to AWS Secrets Manager. S3 is designed for object storage, not secret management, making it a less ideal solution.
Option D is incorrect because using an Amazon DynamoDB table with resource-based policies also adds unnecessary complexity compared to AWS Secrets Manager. DynamoDB is a NoSQL database, not a secret management service, making it a less suitable choice.

Therefore, Option A is the best approach as it leverages a service specifically designed for secret management, ensuring both security and minimal impact on application performance.

Detailed Explanation:
AWS Secrets Manager simplifies the task of managing secrets, including database credentials, passwords, API keys, and other sensitive information. It enables you to easily rotate, manage, and retrieve secrets throughout their lifecycle. By using Secrets Manager, you improve your security posture and reduce the risk of hardcoding sensitive information in your application code. Retrieving the credentials at runtime means they are not stored directly in the application, which is important for security and compliance.
Storing secrets in code (Option B) is a well-known anti-pattern. While S3 and DynamoDB (Options C and D) can be used to store secrets, they lack the specialized features of Secrets Manager, such as automatic rotation and fine-grained access control designed specifically for secrets. These options also increase the operational overhead.

The key requirements are secure storage and minimal performance impact. AWS Secrets Manager fulfills both.

Citations:

AWS Secrets Manager, https://aws.amazon.com/secrets-manager/

Question 10

A developer is deploying a new application to Amazon Elastic Container Service (Amazon ECS). The developer needs to securely store and retrieve different types of variables. These variables include authentication information for a remote API, the URL for the API, and credentials. The authentication information and API URL must be available to all current and future deployed versions of the application across development, testing, and production environments.
How should the developer retrieve the variables with the FEWEST application changes?

A. Update the application to retrieve the variables from AWS Systems Manager Parameter Store. Use unique paths in Parameter Store for each variable in each environment. Store the credentials in AWS Secrets Manager in each environment.
B. Update the application to retrieve the variables from AWS Key Management Service (AWS KMS). Store the API URL and credentials as unique keys for each environment.
C. Update the application to retrieve the variables from an encrypted file that is stored with the application. Store the API URL and credentials in unique files for each environment.
D. Update the application to retrieve the variables from each of the deployed environments. Define the authentication information and API URL in the ECS task definition as unique names during the deployment process.

Correct Answer: A

Explanation:

The best approach for a developer to securely store and retrieve different types of variables, including authentication information for a remote API, the URL for the API, and credentials, with the fewest application changes, is to use AWS Systems Manager Parameter Store in conjunction with AWS Secrets Manager. Therefore, the suggested answer is A.

Reasoning:

AWS Systems Manager Parameter Store is suitable for storing configuration data, such as the API URL. It allows storing data in a hierarchical structure with versioning and encryption.
AWS Secrets Manager is designed specifically for securely storing secrets such as database credentials, API keys, and other sensitive information. It offers features like automatic rotation and encryption at rest and in transit.
Using unique paths in Parameter Store for each variable in each environment and storing credentials in Secrets Manager ensures that each environment has its own set of configurations and secrets. This follows the best practice of separating environments for security and stability.
By retrieving variables from these services, the application logic remains consistent across different environments (development, testing, and production). Only the paths/names of the parameters or secrets change, not the retrieval method.

Reasons for not choosing other options:

Option B: Using AWS Key Management Service (AWS KMS) directly to store the API URL and credentials is not ideal. KMS is primarily for encryption and decryption keys, not for storing configuration data or secrets directly. While KMS can encrypt secrets, Secrets Manager provides a more complete solution with features like rotation and auditing.
Option C: Storing variables in an encrypted file with the application has several drawbacks. It requires managing encryption keys, distributing the file securely, and updating the application code whenever the variables change. This approach is less secure and more complex than using Parameter Store and Secrets Manager.
Option D: Defining the authentication information and API URL in the ECS task definition as unique names during the deployment process is not recommended. Task definitions are typically version-controlled and should not contain sensitive information directly. It also makes it difficult to manage and rotate secrets securely. Moreover, embedding configuration directly into task definitions leads to more application changes when configuration updates are needed.

The combination of Parameter Store and Secrets Manager offers a secure, scalable, and manageable solution for storing and retrieving variables with minimal application changes.

AWS Systems Manager Parameter Store, https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
AWS Secrets Manager, https://aws.amazon.com/secrets-manager/

[Amazon] DVA-C02 - Developer Associate Exam Dumps & Study Guide

Free [Amazon] DVA-C02 - Developer Associate Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10